
VoIP Security: Threats and Carrier Protections

SIPNEX

VoIP security is not optional — it is an operational requirement that protects your revenue and your customers’ data. The most common VoIP security failure is not a sophisticated hack. It is a compromised SIP trunk that gets used for toll fraud — unauthorized international calls that run up thousands of dollars in charges over a weekend while nobody is watching. The second most common is credential theft through brute-force attacks on SIP registration ports. Both are preventable with basic security practices that too many operators skip.

This guide covers VoIP security from the carrier perspective. SIPNEX is an FCC-licensed carrier that provides SIP trunking with carrier-level security controls. We implement security at the network layer so our customers start from a protected baseline, but your own network configuration is equally important.

The threat landscape for VoIP

Toll fraud is the number one financial risk. Attackers compromise a SIP trunk or PBX and use it to place international calls — typically to premium-rate numbers in countries where the attacker receives a revenue share from the terminating carrier. A compromised trunk generating calls to premium destinations for 48 hours (a common weekend attack window) can generate $10,000 to $50,000 in charges. The business that owns the trunk is liable for those charges because the calls originated from their authenticated system.

How it happens: weak SIP credentials (simple passwords, default passwords), exposed SIP ports on the public internet without firewall rules, or a compromised PBX application (unpatched Asterisk, vulnerable FreePBX web interface).

Eavesdropping on VoIP calls is possible when SIP signaling and RTP media are transmitted unencrypted. SIP messages contain call metadata (who called whom, when, from what number). RTP streams contain the actual voice audio. On an unencrypted connection, anyone with access to the network path can capture and listen to calls. This is a concern for any business handling sensitive information — healthcare (HIPAA), financial services, legal, and government.

Denial of Service (DoS/DDoS) attacks target VoIP infrastructure by flooding SIP ports with malformed requests or overwhelming media servers with traffic. A successful DoS attack takes your phone system offline — no inbound or outbound calling. SIP-specific DoS attacks exploit the protocol’s stateful nature — a flood of SIP INVITE messages without completing call setup can exhaust your PBX’s session capacity.

Vishing (Voice Phishing) uses VoIP to impersonate legitimate businesses — banks, government agencies, utility companies — to extract sensitive information from consumers. This is the caller ID spoofing problem applied for fraud purposes. STIR/SHAKEN is the primary defense against vishing at the network level.

Registration hijacking occurs when an attacker obtains your SIP credentials and registers their own system to your carrier account, redirecting your inbound calls or placing unauthorized outbound calls. Weak credentials and unencrypted SIP registration (where credentials are visible in network traffic) are the primary vectors.

Carrier-level security measures

SIPNEX implements security at the network layer. These protections apply to all customers automatically.

IP-based access controls. For IP-authenticated trunks, we only accept SIP traffic from your registered IP addresses. Traffic from any other source is dropped. This eliminates the risk of credential-based attacks entirely because authentication is based on network identity, not passwords. IP authentication is the most secure trunk authentication method and is recommended for all fixed-location PBX installations.

Digest authentication with strong credentials. For trunks using digest (username/password) authentication, we enforce minimum credential complexity and support TLS-encrypted registration to prevent credential interception.

TLS for signaling encryption. SIPNEX supports TLS (Transport Layer Security) on SIP port 5061. TLS encrypts the SIP signaling channel — call setup, teardown, and metadata are all encrypted in transit. This prevents eavesdropping on call metadata and protects SIP credentials during digest authentication.

SRTP for media encryption. SIPNEX supports SRTP (Secure Real-time Transport Protocol) for encrypting voice audio. When both the originating and terminating sides support SRTP, the actual conversation is encrypted end-to-end. This is essential for HIPAA compliance, financial services, and any operation where call content is sensitive.

Rate limiting and anomaly detection. Our network monitors for traffic patterns consistent with toll fraud (sudden spike in international calls, calls to known premium-rate number ranges, unusual calling hours). When suspicious patterns are detected, we can throttle the traffic and notify the customer before the damage accumulates.

STIR/SHAKEN. Our STIR/SHAKEN implementation prevents your numbers from being spoofed by others and provides cryptographic verification that your outbound calls are legitimate. This is both a compliance feature and a security feature — it protects your brand identity on the telephone network.

Your security responsibilities

Carrier-level security protects the trunk. Your security protects the PBX.

Firewall your SIP ports. SIP uses ports 5060 (UDP/TCP) and 5061 (TLS). RTP uses a range of UDP ports (typically 10000-20000). Only allow traffic to these ports from your carrier’s IP addresses (SIPNEX provides our SIP proxy IPs during provisioning) and from authorized endpoint IPs. Block everything else. An open SIP port on the public internet will be discovered and attacked within hours — SIP scanners run continuously across the entire IPv4 address space.

Use strong SIP credentials. If using digest authentication, use passwords that are at least 16 characters with mixed case, numbers, and symbols. Never use default credentials. Never reuse credentials across systems. Change credentials if any team member with access leaves the organization.

Keep your PBX updated. Asterisk, FreePBX, and VICIdial all receive regular security updates. Unpatched systems are the most common entry point for PBX compromise. Subscribe to the security mailing lists for your platform and apply patches promptly.

Monitor for unauthorized international calls. Set up alerting for calls to international destinations that your operation does not normally call. If your business only calls US domestic numbers, any international call is suspicious. Many PBX systems allow you to block international dialing entirely — if you do not need it, disable it.
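The anomaly patterns named under "Rate limiting and anomaly detection" (spikes in international calls, premium-rate destinations, unusual hours) are the same ones you can screen for on the PBX side. The following is an added example of that screening over call detail records; it is not SIPNEX's detection system. The CDR layout (timestamp, caller, dialed number, seconds), the thresholds, the +1 home prefix and the "+999" premium-rate prefix are all constructed for illustration; in practice the prefix list comes from your carrier's fraud feed.

```python
"""Toll-fraud screening over PBX call detail records (CDRs).

Added example, not SIPNEX's carrier-side detection. CDR format, thresholds,
sample numbers and the premium-rate prefix list are constructed."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed CDRs: ISO timestamp (PBX local time), caller, dialed E.164 number, seconds.
# The last six rows model a compromised extension dialing a premium range at 2 a.m.
SAMPLE_CDRS = """\
2024-05-04T14:05:10,+12025550101,+12025550199,95
2024-05-04T14:12:44,+12025550102,+12025550188,40
2024-05-05T02:01:03,+12025550101,+9990000000001,610
2024-05-05T02:03:15,+12025550101,+9990000000002,598
2024-05-05T02:05:27,+12025550101,+9990000000003,603
2024-05-05T02:07:40,+12025550101,+9990000000004,611
2024-05-05T02:09:51,+12025550101,+9990000000005,590
2024-05-05T02:12:02,+12025550101,+9990000000006,605
"""

HOME_PREFIX = "+1"                      # a US-only operation: anything else is international
PREMIUM_PREFIXES = ("+999",)            # constructed placeholder; source this from your carrier
OFF_HOURS_START, OFF_HOURS_END = 22, 6  # local hours during which nobody should be dialing abroad
SPIKE_COUNT, SPIKE_WINDOW = 5, timedelta(minutes=60)   # N international calls per caller per hour


def parse_cdrs(text):
    """Parse CSV CDR lines into (timestamp, caller, destination, seconds), oldest first."""
    rows = []
    for ts, src, dst, secs in csv.reader(StringIO(text)):
        rows.append((datetime.fromisoformat(ts), src, dst, int(secs)))
    return sorted(rows)


def is_off_hours(ts):
    return ts.hour >= OFF_HOURS_START or ts.hour < OFF_HOURS_END


def screen_cdrs(text):
    """Return one alert per suspicious call as (timestamp, caller, destination, reasons)."""
    recent = defaultdict(list)   # caller -> timestamps of international calls in the window
    alerts = []
    for ts, src, dst, _secs in parse_cdrs(text):
        reasons = []
        international = not dst.startswith(HOME_PREFIX)
        if international:
            reasons.append("international")
            recent[src] = [t for t in recent[src] + [ts] if ts - t <= SPIKE_WINDOW]
            if len(recent[src]) >= SPIKE_COUNT:
                minutes = int(SPIKE_WINDOW.total_seconds() // 60)
                reasons.append(f"spike:{len(recent[src])}_intl_calls_in_{minutes}m")
        if dst.startswith(PREMIUM_PREFIXES):
            reasons.append("premium_rate_prefix")
        if international and is_off_hours(ts):
            reasons.append("off_hours")   # domestic off-hours calls are not flagged
        if reasons:
            alerts.append((ts.isoformat(), src, dst, tuple(reasons)))
    return alerts


def callers_to_block(alerts):
    """Callers that tripped the spike rule: candidates for an immediate international block."""
    return sorted({src for _ts, src, _dst, reasons in alerts
                   if any(r.startswith("spike") for r in reasons)})


if __name__ == "__main__":
    found = screen_cdrs(SAMPLE_CDRS)
    for alert in found:
        print(*alert)
    print("block outbound international for:", callers_to_block(found))
```

Run this against an hourly CDR export and page on any spike alert; a single international call to a premium prefix from an extension that never dials abroad is already worth a call to the site owner, and the spike rule is what catches a weekend attack before the charges accumulate.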

Use TLS and SRTP. Configure your PBX to use TLS for SIP signaling (port 5061) and SRTP for media. This encrypts both the call setup and the conversation. The performance impact is minimal on modern hardware. The security benefit is substantial.

Limit registration sources. If your PBX supports it, restrict which IP addresses can register extensions. This prevents an attacker who obtains extension credentials from registering a rogue endpoint from an external IP.
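"Firewall your SIP ports" and "Limit registration sources" describe one policy: the PBX accepts signaling and media only from the carrier's proxies and from the networks your own phones live on, and drops everything else. As an added example (not SIPNEX's provisioning output), the block below models that policy as a decision function, so you can test it against scanner traffic and a stolen-credential registration attempt, and renders the same policy as an nftables ruleset for the PBX host. The IP addresses are constructed placeholders from the RFC 5737 documentation ranges; substitute the proxy IPs your carrier provides and your endpoint networks.

```python
"""Allowlist policy for a PBX's SIP and RTP ports, with an nftables rendering.

Added example, not SIPNEX's provisioning output. Addresses are constructed
placeholders (RFC 5737 documentation ranges); IPv4 only for brevity."""
import ipaddress

CARRIER_PROXIES = ["192.0.2.10", "192.0.2.11"]   # constructed: carrier SIP proxies / media
ENDPOINT_SOURCES = ["198.51.100.0/24"]           # constructed: networks allowed to register
RTP_RANGE = (10000, 20000)                       # PBX media port range (UDP)
SIGNALING = {("udp", 5060), ("tcp", 5060), ("tcp", 5061)}   # 5061 is TLS, so TCP only


def _networks(sources):
    # Accept both single hosts and CIDR blocks.
    return [ipaddress.ip_network(s, strict=False) for s in sources]


def sip_policy_decision(src_ip, proto, dport,
                        carrier=CARRIER_PROXIES, endpoints=ENDPOINT_SOURCES,
                        rtp_range=RTP_RANGE):
    """Return 'accept' or 'drop' for one inbound packet to the PBX.

    Signaling and media are accepted only from the carrier proxies and from the
    endpoint networks that may register. Restricting endpoint networks is what
    stops a stolen extension password being used from an arbitrary external IP."""
    addr = ipaddress.ip_address(src_ip)
    trusted = any(addr in net for net in _networks(list(carrier) + list(endpoints)))
    signaling = (proto, dport) in SIGNALING
    media = proto == "udp" and rtp_range[0] <= dport <= rtp_range[1]
    return "accept" if trusted and (signaling or media) else "drop"


def render_nftables(carrier=CARRIER_PROXIES, endpoints=ENDPOINT_SOURCES,
                    rtp_range=RTP_RANGE):
    """Render the same policy as an nftables ruleset for the PBX host.

    Management access (SSH, the PBX admin UI) is deliberately not included;
    add those rules for your admin network before loading this with nft -f."""
    elements = ", ".join(str(net) for net in _networks(list(carrier) + list(endpoints)))
    lo, hi = rtp_range
    return "\n".join([
        "table inet voip {",
        "    set trusted {",
        "        type ipv4_addr",
        "        flags interval",
        f"        elements = {{ {elements} }}",
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        ct state established,related accept",
        "        iif lo accept",
        "        ip saddr @trusted udp dport 5060 accept",
        "        ip saddr @trusted tcp dport { 5060, 5061 } accept",
        f"        ip saddr @trusted udp dport {lo}-{hi} accept",
        "    }",
        "}",
    ])


if __name__ == "__main__":
    print(render_nftables())
    # A scanner hitting 5060 from an unknown address is dropped before SIP ever sees it.
    print(sip_policy_decision("203.0.113.5", "udp", 5060))
```

The decision function and the ruleset express the same rules, which is the point: write the policy once, check it with a few packets you care about (carrier INVITE, phone REGISTER, scanner probe, RTP outside the configured range), then load the rendered ruleset.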

Frequently asked questions

Is VoIP secure?

VoIP can be highly secure when properly configured. SIP supports TLS for signaling encryption and SRTP for media encryption. IP-based authentication eliminates credential-based attacks. Carrier-level rate limiting and anomaly detection protect against toll fraud. The security risks in VoIP come from poor configuration — open SIP ports, weak passwords, unpatched software, and unencrypted connections. A properly secured VoIP deployment with carrier-level protections (SIPNEX provides these by default), a firewalled PBX, strong credentials, and encryption enabled is as secure as or more secure than traditional landline service.

What is toll fraud and how do I prevent it?

Toll fraud is unauthorized use of your SIP trunk or PBX to place expensive international calls, typically to premium-rate numbers where the attacker receives a revenue share. Prevention: firewall your SIP ports to allow traffic only from your carrier’s IP addresses and authorized endpoints. Use IP-based authentication instead of digest authentication where possible. Keep your PBX software updated. Disable international dialing if your business does not need it. Monitor your call detail records (CDRs) for unexpected international calls. Set up spending alerts with your carrier. SIPNEX implements carrier-level anomaly detection that can flag suspicious international calling patterns before they accumulate significant charges.

Do I need encryption for VoIP calls?

If your calls involve sensitive information (healthcare/HIPAA, financial data, legal discussions, personal information), yes — you should use TLS for SIP signaling and SRTP for media. Even if your call content is not sensitive, TLS protects your SIP credentials during digest authentication, preventing credential theft. The performance impact of encryption on modern hardware is negligible. SIPNEX supports both TLS (port 5061) and SRTP. Configure your PBX to use them and verify encryption is active by checking your SIP connection parameters.
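"Verify encryption is active by checking your SIP connection parameters" means two separate checks: the transport in the top Via header (TLS versus UDP/TCP) tells you whether signaling is encrypted, and the profile on the SDP m= line (RTP/SAVP with an a=crypto or a=fingerprint line, versus RTP/AVP) tells you whether the media is SRTP. The block below is an added example that performs both checks on a SIP message; it is not a SIPNEX tool. The INVITE it audits is constructed by a helper so the example runs offline, with the SRTP key replaced by a labelled placeholder; in practice you would paste a message from your PBX's SIP debug output.

```python
"""Audit one SIP message for TLS signaling and SRTP media.

Added example, not a SIPNEX tool. The INVITE is constructed here; feed the
audit function a message captured from your PBX's SIP trace instead."""


def build_invite(tls=True, srtp=True):
    """Assemble a constructed INVITE (hosts, numbers and key are placeholders)."""
    transport = "TLS" if tls else "UDP"
    port = 5061 if tls else 5060
    sdp = [
        "v=0",
        "o=- 2890844526 2890844526 IN IP4 198.51.100.20",
        "s=-",
        "c=IN IP4 198.51.100.20",
        "t=0 0",
        f"m=audio 10002 {'RTP/SAVP' if srtp else 'RTP/AVP'} 0 101",
        "a=rtpmap:0 PCMU/8000",
    ]
    if srtp:
        # SDES key material would be a base64 master key; placeholder only.
        sdp.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<KEY-PLACEHOLDER>")
    body = "\r\n".join(sdp) + "\r\n"
    headers = [
        "INVITE sip:+12025550199@sip.example.net SIP/2.0",
        f"Via: SIP/2.0/{transport} 198.51.100.20:{port};branch=z9hG4bK776asdhds",
        "From: <sip:+12025550101@pbx.example.net>;tag=1928301774",
        "To: <sip:+12025550199@sip.example.net>",
        "Call-ID: a84b4c76e66710@pbx.example.net",
        "CSeq: 314159 INVITE",
        f"Contact: <sip:+12025550101@198.51.100.20:{port};transport={transport.lower()}>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def parse_sip(message):
    """Split a SIP message into (start line, {header: [values]}, body); CRLF or LF."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


def audit_encryption(message):
    """Report whether signaling is TLS and media is SRTP, with plain-language problems."""
    _start, headers, body = parse_sip(message)
    findings = {"signaling_tls": False, "media_srtp": False, "problems": []}

    top_via = headers.get("via", [""])[0]
    transport = top_via.split()[0].rsplit("/", 1)[-1].upper() if top_via else ""
    findings["signaling_tls"] = transport == "TLS"
    if not findings["signaling_tls"]:
        findings["problems"].append(
            f"signaling over {transport or 'unknown'}: metadata and digest credentials exposed")

    sdp_lines = body.split("\n")
    keyed = any(l.startswith(("a=crypto:", "a=fingerprint:")) for l in sdp_lines)
    media_lines = [l for l in sdp_lines if l.startswith("m=")]
    if not media_lines:
        findings["problems"].append("no SDP media description to check")
    for m in media_lines:
        parts = m.split()
        proto = parts[2] if len(parts) > 2 else ""
        if proto in SRTP_PROFILES and keyed:
            findings["media_srtp"] = True
        else:
            findings["problems"].append(f"{parts[0]} offered as {proto or 'unknown'}: audio in the clear")
    return findings


if __name__ == "__main__":
    print(audit_encryption(build_invite(tls=True, srtp=True)))
    print(audit_encryption(build_invite(tls=False, srtp=False)))
```

A half-secured configuration (TLS on, SRTP off) is common after a PBX upgrade and is exactly what the second check catches: the credentials are protected but the conversation is not.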

How do I protect my VoIP system from DDoS attacks?

Basic protection: firewall your SIP ports to allow traffic only from known sources (your carrier, your endpoints). Advanced protection: use a SIP-aware firewall or session border controller (SBC) that can detect and block malformed SIP requests, rate-limit SIP registration attempts, and identify flood patterns. Carrier-level protection: SIPNEX implements rate limiting on our network edge that absorbs volumetric attacks before they reach your trunk. For mission-critical operations, consider hosting your PBX in a data center with DDoS mitigation infrastructure rather than on-premises behind a standard business internet connection.
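The flood patterns an SBC or SIP-aware firewall looks for are rate based: too many INVITEs from one source in a short window (session exhaustion, as described under Denial of Service above) or too many REGISTER attempts (credential brute force). The block below is an added example of that per-source sliding-window logic over request log lines; it is not SIPNEX's edge implementation and is not tied to any particular SBC. The log format (timestamp, source IP, SIP method), the thresholds and the addresses are constructed, and the flooding source is deliberately the only one that trips a limit.

```python
"""Per-source sliding-window flood detection over SIP request log lines.

Added example of SBC-style rate-limit logic, not SIPNEX's edge implementation.
Log format, thresholds and addresses are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: 203.0.113.7 sends 60 INVITEs in six seconds; 198.51.100.20 is a
# phone registering normally; 192.0.2.10 stands in for a carrier proxy.
SAMPLE_LOG = "\n".join(
    [f"2024-05-05T02:00:{i // 10:02d}.{i % 10}00 203.0.113.7 INVITE" for i in range(60)]
    + [
        "2024-05-05T02:00:01.000 198.51.100.20 REGISTER",
        "2024-05-05T02:00:03.500 198.51.100.20 INVITE",
        "2024-05-05T02:00:04.000 192.0.2.10 INVITE",
    ]
)

# Per-method limits: (max requests, window). INVITE floods exhaust session
# capacity; REGISTER floods are password guessing.
LIMITS = {
    "INVITE": (20, timedelta(seconds=10)),
    "REGISTER": (5, timedelta(seconds=60)),
}


def parse_log(text):
    """Parse 'timestamp src method' lines into (datetime, src, method), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method = line.split()
        events.append((datetime.fromisoformat(ts), src, method))
    return sorted(events)


def detect_floods(text, limits=LIMITS):
    """Return {(src, method): timestamp of the first request that exceeded the limit}."""
    windows = defaultdict(deque)   # (src, method) -> timestamps inside the current window
    offenders = {}
    for ts, src, method in parse_log(text):
        if method not in limits:
            continue
        max_count, window = limits[method]
        key = (src, method)
        recent = windows[key]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # slide the window forward
            recent.popleft()
        if len(recent) > max_count and key not in offenders:
            offenders[key] = ts.isoformat()
    return offenders


if __name__ == "__main__":
    for (src, method), first_seen in detect_floods(SAMPLE_LOG).items():
        print(f"{src} exceeded {method} limit at {first_seen}")
```

In production the same counters drive a temporary block of the offending source at the firewall or SBC, and the carrier-side rate limiting described above sits in front of this so that a volumetric flood never reaches the trunk at all.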


SIPNEX provides carrier-level security on every SIP trunk — IP authentication, TLS/SRTP support, rate limiting, anomaly detection, and STIR/SHAKEN identity protection. Secure your voice infrastructure or see our rates.

SIPNEX

FCC-licensed carrier with its own STIR/SHAKEN SP certificate. Operator-owned. SIP trunks built for operators who dial at volume.